Vetting Third Parties’ Cybersecurity Measures
Kohl’s department store is facing a class action lawsuit after a third party with which it shared data suffered a breach that exposed the sensitive personal information of 1.9 million people. The information stolen by the attackers includes customer names, addresses, Social Security numbers, and other sensitive identifying information. The class action complaint alleges that Kohl’s:
· did not take any action to secure, encrypt, or otherwise protect the sensitive data it shared with the vendor;
· did not vet the vendor for sufficient data protection practices; and
· did not reduce the risk of a breach, instead sending unprotected sensitive information to the vendor.
The complaint further alleges that this failure to protect the shared information caused greater harm to the plaintiff and the associated class when the third party at issue had its systems breached in February 2024.
This highlights the need for organizations handling sensitive information to have strong third-party risk management programs. The risks that third-party vendors introduce, and the risk management practices companies should consider and follow, are described below.
Third-Party Vendor Risks
There are a variety of risks associated with third-party vendors that handle your organization’s data. Common third-party risks to weigh when choosing a vendor are:
1. Information Risk – potential exposure or loss of data resulting from a breach within a vendor’s system(s).
2. Reputational Risk – negative effects on public opinion caused by a data security incident involving the vendor.
3. Operational Risk – the vendor’s data management practices may disrupt your organization’s operations.
4. Financial Risk – financial ramifications from the vendor’s mismanagement or breach of your data.
5. Legal Risk – the risk that a vendor’s conduct causes your organization to fall out of compliance with applicable laws and regulations.
Third Party Risk Management
Managing those risks is a task that organizations of all sizes must undertake. While there is no one-size-fits-all approach to managing third-party security risks, there are general steps that any organization seeking to mitigate vendor risk should follow.
Identify The Vendor And The Type of Data To Be Shared
When engaging a third-party vendor that may receive sensitive information, it is crucial to record the vendor, and every data flow to it, in an inventory. The inventory should identify which teams use the vendor, which data elements are sent, and how sensitive those elements are. If sensitive information (e.g., customer names, Social Security numbers, addresses, or financial account numbers) is shared with a vendor, flag the vendor so that stricter cybersecurity provisions apply. Flagging these higher-sensitivity relationships makes it possible to require that sensitive information be protected before it is transferred: encrypted in transit and at rest, and reduced to only the fields the vendor actually needs for the contracted purpose.
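One way to put the inventory, flagging and pre-transfer protection described above into practice, as an added example that is not part of the original article: a constructed customer export is minimized to the fields a hypothetical vendor contract needs, the Social Security number is replaced with a keyed token so the vendor can still match records without ever receiving the SSN, and the resulting inventory entry records the sensitivity tier and the strict-controls flag. The field names, tiers, vendor policy, HMAC key and sample records are all assumptions made for illustration.

```python
"""Pre-transfer protection for a vendor data feed.

Added example, not code from the original article. The field tiers, the
vendor policy, the key and the sample records below are constructed for
illustration; a real deployment would take the key from a secrets manager
and the policy from the signed contract.
"""
import hashlib
import hmac

# Sensitivity tiers, lowest to highest.
TIER_ORDER = ["public", "internal", "sensitive", "restricted"]

# Assumed classification of each field in the export.
FIELD_TIER = {
    "customer_id": "internal",
    "name": "sensitive",
    "email": "sensitive",
    "postal_address": "sensitive",
    "ssn": "restricted",
    "card_number": "restricted",
    "loyalty_tier": "internal",
}

# Hypothetical contract scope for a mail-campaign vendor: the fields the
# contracted purpose needs, and which of them are sent as tokens rather
# than in the clear (the vendor only needs a stable join key for SSN).
VENDOR_POLICY = {
    "vendor": "ExampleMailer",
    "purpose": "postal marketing campaign",
    "needed_fields": ["customer_id", "name", "postal_address", "ssn"],
    "tokenize_fields": ["ssn"],
}

# Demo key only; must be a managed secret that never leaves the data owner.
EXAMPLE_KEY = b"demo-key-replace-with-a-managed-secret"

# Constructed sample data, not real customers.
SAMPLE_RECORDS = [
    {"customer_id": "c-1001", "name": "Ada Example", "email": "ada@example.com",
     "postal_address": "1 Example St, Springfield", "ssn": "123-45-6789",
     "card_number": "4111111111111111", "loyalty_tier": "gold"},
    {"customer_id": "c-1002", "name": "Ben Example", "email": "ben@example.com",
     "postal_address": "2 Example Ave, Springfield", "ssn": "987-65-4321",
     "card_number": "5555555555554444", "loyalty_tier": "silver"},
]


def highest_tier(fields):
    """Return the highest sensitivity tier among the given fields."""
    tiers = [FIELD_TIER.get(f, "public") for f in fields]
    return max(tiers, key=TIER_ORDER.index)


def needs_strict_controls(fields):
    """Flag the relationship when sensitive or restricted data is shared in the clear."""
    return TIER_ORDER.index(highest_tier(fields)) >= TIER_ORDER.index("sensitive")


def tokenize(value, key):
    """Keyed pseudonym: stable for record matching, not reversible by the vendor.

    A plain hash would let the vendor brute-force the ~10^9 possible SSNs;
    with HMAC the key stays with the data owner, so the vendor cannot.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def prepare_record(record, policy, key):
    """Apply minimization, then tokenization, to one record before transfer."""
    out = {}
    for field in policy["needed_fields"]:
        if field not in record:
            continue  # nothing to send for this field
        if field in policy["tokenize_fields"]:
            out[field + "_token"] = tokenize(record[field], key)
        else:
            out[field] = record[field]
    return out


def prepare_export(records, policy, key):
    """Build the vendor feed and the inventory entry that describes it."""
    clear_fields = [f for f in policy["needed_fields"] if f not in policy["tokenize_fields"]]
    entry = {
        "vendor": policy["vendor"],
        "purpose": policy["purpose"],
        "fields_shared": clear_fields + [f + "_token" for f in policy["tokenize_fields"]],
        "highest_tier": highest_tier(clear_fields),
        "flag_strict_controls": needs_strict_controls(clear_fields),
    }
    feed = [prepare_record(r, policy, key) for r in records]
    return feed, entry


if __name__ == "__main__":
    feed, entry = prepare_export(SAMPLE_RECORDS, VENDOR_POLICY, EXAMPLE_KEY)
    print("inventory entry:", entry)
    for row in feed:
        print("to vendor:", row)
```

The inventory entry is what the flag in the text refers to: because name and address still go to the vendor in the clear, the relationship is tiered "sensitive" and flagged for stricter contract and security provisions, while email, card number and the raw SSN never leave the organization at all.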
Assess The Vendor’s Security Practices
Once the flow of data between your organization and a vendor is identified, assess the vendor’s cybersecurity practices. Those practices should be commensurate with the sensitivity of the information being shared. At a minimum, a vendor should be able to explain its information security controls, how it will handle and store the data, whether its employees are trained in managing personal and sensitive information, and the steps it will take should a security incident occur. Where possible, verify those answers against independent evidence, such as an audit report or a recent penetration test summary, rather than relying on a questionnaire alone.
Incorporate Contract Risk-Shifting Provisions
A crucial part of the relationship between organization and third-party vendors is the service contract. Any contract involving the transfer of data from your organization elsewhere should contain language stating that:
1. All sensitive information be secured at a level appropriate to its risk (higher-sensitivity information receives more stringent protections, and vice versa).
2. The information shared only be used for contracted purposes.
3. Third-party vendor employees with access to your data maintain confidentiality (potentially through a separate confidentiality agreement).
4. The third-party vendor indemnifies your organization for any legal claims relating to the vendor’s use of your data.
5. Any security incident involving your data be reported promptly and in detail.
Takeaways
As illustrated above, it is important for organizations to ensure that third-party vendors manage their information with security and care appropriate to the sensitivity of the data being shared. While Kohl’s was not directly breached, its alleged failure to verify its vendor’s security measures has now led to legal, financial, operational, and reputational harm to the business.
How We Can Help
If your organization is looking for a third-party vendor risk management program, please do not hesitate to schedule a consultation in the Book Now or Services pages.
Authored by: Eric Mason